Intruder Help File

Checking the above options will activate the built-in rules.

Local: Activates your personalized rules to watch for.

Bad-Traffic: Essentially looks for badly formed packets.

Scan: Representative of network scanners. These include port scanning, IP mapping, and various application scanners.

Finger: Listens for connections on port 79. Covers FINGER search query, FINGER remote command execution attempt, FINGER bomb attempt, FINGER redirection attempt among many others.

Ftp: Default port 21. On the lookout for FTP STOR overflow attempt, FTP XCWD overflow attempt and many others. The basic idea is to watch for any overflow attempts.

Telnet: Signals any telnet exploits and accounts without password protection.

Rpc: Enable this if you also want to normalize Microsoft RPC traffic on port 135/tcp and detect when an RPC request is made.

Rservices: Listens for rlogin on port 513, rsh requests on port 514 and rexec on port 512.

Dos: On the lookout for DOS Jolt attack, DOS IGMP dos attack, DOS Real Audio Server (port 7070), DOS Winnuke attack (ports 135-139).

Ddos: Short for Distributed Denial of Service, it is an attack where multiple compromised systems (which are usually infected with a Trojan) are used to target a single system, causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.

Dns: Default port 53. Watches for DNS EXPLOIT overflow attempts.

Tftp: Signatures referring to generic GET and PUT via TFTP, which is generally frowned upon on most networks but may be used in some other environments.

Exploit: Listens for various exploitation overflows on ports 22, 515, 2766 (Solaris), 8080 (proxy), 9090 (VQServer) and many others.

Web-cgi: Listens on port 80 for various well-known CGI script requests.

Web-coldfusion: Default port 80. Will alert if any ColdFusion file request is made on your web server.

Web-iis: Will report any attempts made upon known .exe, .asp and .dll files to exploit a Microsoft IIS server.

Web-frontpage: Dangerous FrontPage file requests will trigger an alert.

Web-misc: Default port 80. Various alerts will be triggered upon IIS server, Apache, ICQ, Tomcat, Nessus, Lotus deldoc, Web cart, Ecommerce, Domino, Netscape, Novell, Trend Micro, Oracle web server and various Java and Perl scripts.

Web-client: These signatures look for two things: bad things coming from our users and attacks against our web users.

Web-php: Will be on the lookout for well-known PHP scripts on your web server. We can't state the list here, it's way too long. Don't bother with this one if you're not running PHP on your server.